[ ok ] Starting OpenBSD Secure Shell server: sshd.
[  129.708600][   T32] kauditd_printk_skb: 4 callbacks suppressed
[  129.708645][   T32] audit: type=1800 audit(1582417152.761:39): pid=11825 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[  129.737638][   T32] audit: type=1800 audit(1582417152.771:40): pid=11825 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[  130.857297][   T32] audit: type=1400 audit(1582417153.911:41): avc:  denied  { map } for  pid=11999 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[  130.915169][T11997] sshd (11997) used greatest stack depth: 3352 bytes left

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts.
syzkaller login: [  142.763273][   T32] audit: type=1400 audit(1582417165.821:42): avc:  denied  { map } for  pid=12011 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/02/23 00:19:26 parsed 1 programs
[  148.048831][   T32] audit: type=1400 audit(1582417171.101:43): avc:  denied  { integrity } for  pid=12011 comm="syz-execprog" lockdown_reason="debugfs access" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
[  148.158915][   T32] audit: type=1400 audit(1582417171.211:44): avc:  denied  { map } for  pid=12011 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=35 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/02/23 00:19:34 executed programs: 0
[  151.740958][T12028] IPVS: ftp: loaded support on port[0] = 21
[  151.862712][T12028] chnl_net:caif_netlink_parms(): no params data found
[  151.953887][T12028] bridge0: port 1(bridge_slave_0) entered blocking state
[  151.961213][T12028] bridge0: port 1(bridge_slave_0) entered disabled state
[  151.970162][T12028] device bridge_slave_0 entered promiscuous mode
[  151.980998][T12028] bridge0: port 2(bridge_slave_1) entered blocking state
[  151.988503][T12028] bridge0: port 2(bridge_slave_1) entered disabled state
[  151.997213][T12028] device bridge_slave_1 entered promiscuous mode
[  152.028391][T12028] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  152.054096][T12028] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  152.085478][T12028] team0: Port device team_slave_0 added
[  152.096954][T12028] team0: Port device team_slave_1 added
[  152.123971][T12028] batman_adv: batadv0: Adding interface: batadv_slave_0
[  152.131013][T12028] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[  152.158082][T12028] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  152.172942][T12028] batman_adv: batadv0: Adding interface: batadv_slave_1
[  152.179988][T12028] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[  152.206379][T12028] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  152.277057][T12028] device hsr_slave_0 entered promiscuous mode
[  152.333306][T12028] device hsr_slave_1 entered promiscuous mode
[  152.513010][   T32] audit: type=1400 audit(1582417175.561:45): avc:  denied  { create } for  pid=12028 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[  152.539786][   T32] audit: type=1400 audit(1582417175.601:46): avc:  denied  { write } for  pid=12028 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[  152.544071][T12028] netdevsim netdevsim0 netdevsim0: renamed from eth0
[  152.565244][   T32] audit: type=1400 audit(1582417175.601:47): avc:  denied  { read } for  pid=12028 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[  152.618672][T12028] netdevsim netdevsim0 netdevsim1: renamed from eth1
[  152.678513][T12028] netdevsim netdevsim0 netdevsim2: renamed from eth2
[  152.738888][T12028] netdevsim netdevsim0 netdevsim3: renamed from eth3
[  152.834477][T12028] bridge0: port 2(bridge_slave_1) entered blocking state
[  152.841806][T12028] bridge0: port 2(bridge_slave_1) entered forwarding state
[  152.849860][T12028] bridge0: port 1(bridge_slave_0) entered blocking state
[  152.857934][T12028] bridge0: port 1(bridge_slave_0) entered forwarding state
[  152.896837][ T4131] bridge0: port 1(bridge_slave_0) entered disabled state
[  152.905396][ T4131] bridge0: port 2(bridge_slave_1) entered disabled state
[  152.981312][T12028] 8021q: adding VLAN 0 to HW filter on device bond0
[  153.006162][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  153.016634][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  153.033000][T12028] 8021q: adding VLAN 0 to HW filter on device team0
[  153.048378][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  153.058351][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  153.067721][   T30] bridge0: port 1(bridge_slave_0) entered blocking state
[  153.075072][   T30] bridge0: port 1(bridge_slave_0) entered forwarding state
[  153.092404][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  153.103266][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  153.112740][ T4131] bridge0: port 2(bridge_slave_1) entered blocking state
[  153.120410][ T4131] bridge0: port 2(bridge_slave_1) entered forwarding state
[  153.140071][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  153.163104][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  153.185520][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  153.195377][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  153.205151][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  153.215631][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  153.228304][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  153.242960][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  153.252112][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  153.274242][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  153.283688][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  153.298904][T12028] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  153.334913][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[  153.342466][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[  153.365760][T12028] 8021q: adding VLAN 0 to HW filter on device batadv0
[  153.405354][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[  153.415426][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[  153.451819][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[  153.461224][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[  153.478619][T12028] device veth0_vlan entered promiscuous mode
[  153.486976][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[  153.496238][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[  153.520282][T12028] device veth1_vlan entered promiscuous mode
[  153.567838][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[  153.576669][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[  153.586060][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[  153.595999][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[  153.611653][T12028] device veth0_macvtap entered promiscuous mode
[  153.629847][T12028] device veth1_macvtap entered promiscuous mode
[  153.665952][T12028] batman_adv: batadv0: Interface activated: batadv_slave_0
[  153.673767][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[  153.682424][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[  153.691693][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[  153.701160][ T4131] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[  153.722974][T12028] batman_adv: batadv0: Interface activated: batadv_slave_1
[  153.731381][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[  153.741412][   T30] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[  153.988857][   T32] audit: type=1400 audit(1582417177.041:48): avc:  denied  { associate } for  pid=12028 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[  154.849339][T12114] =====================================================
[  154.856344][T12114] BUG: KMSAN: use-after-free in __list_add_valid+0x280/0x420
[  154.863851][T12114] CPU: 0 PID: 12114 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0
[  154.872532][T12114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  154.882693][T12114] Call Trace:
[  154.886019][T12114]  dump_stack+0x1c9/0x220
[  154.890365][T12114]  kmsan_report+0xf7/0x1e0
[  154.894821][T12114]  __msan_warning+0x58/0xa0
[  154.899320][T12114]  __list_add_valid+0x280/0x420
[  154.904195][T12114]  rdma_listen+0x623/0x10b0
[  154.908685][T12114]  ? kmsan_set_origin_checked+0x95/0xf0
[  154.914232][T12114]  ? kmsan_get_metadata+0x11d/0x180
[  154.919424][T12114]  ucma_listen+0x36c/0x5e0
[  154.923858][T12114]  ? ucma_connect+0xa40/0xa40
[  154.928640][T12114]  ucma_write+0x5c5/0x630
[  154.932966][T12114]  ? ucma_get_global_nl_info+0xe0/0xe0
[  154.938434][T12114]  __vfs_write+0x1a9/0xca0
[  154.942854][T12114]  ? rw_verify_area+0x2c4/0x5b0
[  154.947708][T12114]  ? kmsan_get_metadata+0x11d/0x180
[  154.952913][T12114]  vfs_write+0x44a/0x8f0
[  154.957171][T12114]  ksys_write+0x267/0x450
[  154.961601][T12114]  __ia32_sys_write+0xdb/0x120
[  154.966412][T12114]  ? __se_sys_write+0xb0/0xb0
[  154.971084][T12114]  do_fast_syscall_32+0x3c7/0x6e0
[  154.976118][T12114]  entry_SYSENTER_compat+0x68/0x77
[  154.981254][T12114] RIP: 0023:0xf7f7ad99
[  154.985319][T12114] Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  155.005795][T12114] RSP: 002b:00000000f7f750cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[  155.014305][T12114] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
[  155.022452][T12114] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000
[  155.030424][T12114] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  155.038393][T12114] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  155.046422][T12114] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  155.055097][T12114]
[  155.057419][T12114] Uninit was created at:
[  155.061786][T12114]  kmsan_internal_poison_shadow+0x66/0xd0
[  155.067518][T12114]  kmsan_slab_free+0x6e/0xb0
[  155.072095][T12114]  kfree+0x565/0x30a0
[  155.076075][T12114]  free_pipe_info+0x40f/0x440
[  155.081353][T12114]  pipe_release+0x46c/0x590
[  155.085857][T12114]  __fput+0x4c7/0xb90
[  155.089868][T12114]  ____fput+0x37/0x40
[  155.093833][T12114]  task_work_run+0x214/0x2b0
[  155.098449][T12114]  prepare_exit_to_usermode+0x3c8/0x520
[  155.104090][T12114]  syscall_return_slowpath+0x95/0x5f0
[  155.109511][T12114]  do_syscall_64+0xde/0x160
[  155.114014][T12114]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  155.119885][T12114] =====================================================
[  155.126807][T12114] Disabling lock debugging due to kernel taint
[  155.133042][T12114] Kernel panic - not syncing: panic_on_warn set ...
[  155.139641][T12114] CPU: 0 PID: 12114 Comm: syz-executor.0 Tainted: G    B             5.6.0-rc2-syzkaller #0
[  155.149854][T12114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  155.159953][T12114] Call Trace:
[  155.163247][T12114]  dump_stack+0x1c9/0x220
[  155.167582][T12114]  panic+0x3d5/0xc3e
[  155.171509][T12114]  kmsan_report+0x1df/0x1e0
[  155.176146][T12114]  __msan_warning+0x58/0xa0
[  155.180916][T12114]  __list_add_valid+0x280/0x420
[  155.185894][T12114]  rdma_listen+0x623/0x10b0
[  155.191367][T12114]  ? kmsan_set_origin_checked+0x95/0xf0
[  155.197876][T12114]  ? kmsan_get_metadata+0x11d/0x180
[  155.203331][T12114]  ucma_listen+0x36c/0x5e0
[  155.207882][T12114]  ? ucma_connect+0xa40/0xa40
[  155.212577][T12114]  ucma_write+0x5c5/0x630
[  155.217877][T12114]  ? ucma_get_global_nl_info+0xe0/0xe0
[  155.223339][T12114]  __vfs_write+0x1a9/0xca0
[  155.227808][T12114]  ? rw_verify_area+0x2c4/0x5b0
[  155.232651][T12114]  ? kmsan_get_metadata+0x11d/0x180
[  155.237848][T12114]  vfs_write+0x44a/0x8f0
[  155.242212][T12114]  ksys_write+0x267/0x450
[  155.246550][T12114]  __ia32_sys_write+0xdb/0x120
[  155.251307][T12114]  ? __se_sys_write+0xb0/0xb0
[  155.255979][T12114]  do_fast_syscall_32+0x3c7/0x6e0
[  155.261010][T12114]  entry_SYSENTER_compat+0x68/0x77
[  155.266134][T12114] RIP: 0023:0xf7f7ad99
[  155.270204][T12114] Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  155.289827][T12114] RSP: 002b:00000000f7f750cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[  155.298269][T12114] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
[  155.306560][T12114] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000
[  155.314535][T12114] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  155.322511][T12114] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  155.330526][T12114] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  155.340036][T12114] Kernel Offset: 0x21000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[  155.351679][T12114] Rebooting in 86400 seconds..